CN102438016A - Method for acquiring subordinate progress of message, access control method and device, and equipment - Google Patents
- Publication number
- CN102438016A
- Authority
- CN
- China
- Prior art keywords
- filtration drive
- communication event
- address
- number information
- port number
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
- Classification
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The invention provides a method for determining the process to which a packet belongs, an access control method and device, and network communication equipment. The method comprises the following steps: a first filter driver, deployed between the Ancillary Function Driver (AFD) and the protocol driver, monitors the communication events of application programs; it acquires the Internet Protocol (IP) address, port number information and corresponding process ID (PID) associated with each communication event and sends them to a second filter driver deployed between the protocol driver and the network card driver; when the second filter driver receives a packet sent or received by the application program, it determines the PID owning the packet from the IP address and/or port number information in the packet and the stored IP address, port number information and corresponding PID. Access control over different application programs is then achieved by applying the access control policy associated with each PID. In this way a filter driver located between the protocol driver and the network card driver can learn which process a packet belongs to, and access control at application-program granularity is realized.
Description
Technical field
The present invention relates to the field of computer communication technology, and in particular to a method for determining the process to which a packet belongs, an access control method and device, and network communication equipment.
Background technology
The network driver architecture of the Windows kernel is shown in Figure 1: the miniport driver (that is, the network card driver), the protocol driver and the AFD driver form the three layers of the Windows kernel network stack. The miniport driver and the protocol driver interact according to the Network Driver Interface Specification (NDIS); the protocol driver and the Ancillary Function Driver (AFD) interact according to the Transport Driver Interface (TDI).
TDI sits between the upper-layer network components of Windows (such as afd.sys) and the protocol drivers (such as the TCP/IP protocol driver). It defines a socket-like standard: any upper-layer network component that follows TDI can call any protocol driver in the operating system. TDI describes the networking commands of the upper-layer component (name resolution, connecting, sending or receiving data, and so on) with a single instruction set and translates them into IRP (I/O Request Packet) instructions that the protocol driver can recognise. The upper-layer network component is therefore also called the TDI client, and the protocol driver is called the TDI transport.
The protocol driver sits above the network card driver and below the TDI client. Toward the TDI client above it, it exposes kernel device objects, receives the instructions sent down from above, packages them into network frames and passes them to the network card driver according to NDIS. It is also responsible for receiving network data packets from the network card driver, forming communication events and notifying the TDI client above it (through the event callback functions registered in advance via TDI). The IRP instructions that the AFD driver sends to these device objects become, after processing by the TCP/IP protocol driver, a series of standard Ethernet packets.
The protocol driver corresponds to the transport layer and the network layer of the OSI seven-layer model.
The Network Driver Interface Specification (NDIS) was developed jointly by Microsoft and 3COM in 1992. It is the communication specification between Windows network card drivers and protocol drivers; a protocol driver developed according to NDIS is called an NDIS protocol driver, the most common one being the TCP/IP protocol driver. Table 1 lists the NDIS version corresponding to each Windows version:
Table 1

| Windows version | NDIS version |
|---|---|
| Windows 2000 | 5.0 |
| Windows XP | 5.1 |
| Windows 2003 | 5.1 |
| Windows Vista | 6.0 |
| Windows 2008 | 6.1 |
| Windows 7 | 6.2 |
An NDIS intermediate driver is a hybrid driver that combines the functions of a protocol driver and a miniport driver. It sits between the protocol driver and the miniport driver, as shown in Figure 2, with the protocol driver above it and the miniport driver below it. It plays a double role: to the protocol driver above it, it appears as a miniport driver; to the miniport driver below it, it appears as a protocol driver.
As can be seen from Figure 2, all interaction between the protocol driver and the miniport driver passes through the NDIS intermediate driver, which is therefore also called an NDIS filter driver. The packets flowing through this driver are all raw-format packets that are about to be sent onto the network or have just arrived from it. Inside this driver, the network packets passing between the protocol driver and the underlying miniport driver can be intercepted and modified, for example: (1) passed through or filtered out; (2) delayed or reordered; (3) encrypted or decrypted; (4) compressed or decompressed; (5) tagged or untagged. Network Address Translation (NAT) and Adapter Load Balancing and Fail-Over (LBFO) can also be implemented here.
However, because this kind of intermediate (filter) driver sits at a low level of network communication, it cannot tell which process ID a packet flowing through it belongs to. This limits the functions that can be built on it: they cannot be refined to the granularity of application software, for example restricting access control to one specific program.
Summary of the invention
The embodiments of the invention provide a method for determining the process to which a packet belongs, an access control method and device, and network communication equipment, in order to solve the problem that an existing filter driver located between the protocol driver and the network card driver, because it sits at a low level of network communication, cannot determine which process a packet belongs to and therefore cannot apply access control to a specific application program.
Based on the above problem, a method for determining the process to which a packet belongs, provided by an embodiment of the invention, comprises:
A first filter driver deployed between the AFD driver and the protocol driver monitors the communication events of application programs;
When an application program is observed to generate a communication event, the first filter driver obtains, from that event, the associated IP address, port number information and corresponding process ID and sends them to a second filter driver deployed between the protocol driver and the network card driver;
The second filter driver receives and stores the IP address, port number information and corresponding process ID;
When the second filter driver receives a packet sent or received by the application program, it determines the process ID to which the packet belongs from the IP address and/or port number information in the packet and the stored IP address, port number information and corresponding process ID.
An access control method for application programs, provided by an embodiment of the invention, comprises:
A first filter driver deployed between the AFD driver and the protocol driver monitors the communication events of application programs;
When an application program is observed to generate a communication event, the first filter driver obtains, from that event, the associated IP address, port number information and corresponding process ID and sends them to a second filter driver deployed between the protocol driver and the network card driver;
The second filter driver receives and stores the IP address, port number information and corresponding process ID;
When the second filter driver receives a packet sent or received by a process, it determines the process ID to which the packet belongs from the IP address and/or port number information in the packet and the stored IP address, port number information and corresponding process ID;
The second filter driver applies the access control policy configured in advance for each process ID to the communication event of that application program.
A device for determining the process to which a packet belongs, provided by an embodiment of the invention, comprises:
A first filter driver module, deployed between the AFD driver and the protocol driver, for monitoring the communication events of application programs and, when an application program is observed to generate a communication event, obtaining from that event the associated IP address, port number information and corresponding process ID and sending them to a second filter driver module;
A second filter driver module, deployed between the protocol driver and the network card driver, for receiving and storing the IP address, port number information and corresponding process ID and, when receiving a packet sent or received by an application program, determining the process ID to which the packet belongs from the received IP address, port and corresponding process ID.
An access control device for application programs, provided by an embodiment of the invention, comprises:
A first filter driver module, deployed between the AFD driver and the protocol driver, for monitoring the communication events of application programs and, when an application program is observed to generate a communication event, obtaining from that event the associated IP address, port number information and corresponding process ID and sending them to a second filter driver module;
A second filter driver module, deployed between the protocol driver and the network card driver, for receiving and storing the IP address, port number information and corresponding process ID; when receiving a packet sent or received by an application program, determining the process ID to which the packet belongs from the received IP address, port and corresponding process ID; and applying the access control policy configured in advance for each process ID to the communication event of that application program.
The network communication equipment provided by an embodiment of the invention comprises the above device for determining the process to which a packet belongs and/or the above access control device for application programs.
The beneficial effect of the embodiment of the invention comprises:
In the method, access control method, device and network communication equipment provided by the embodiments, a first filter driver deployed between the AFD driver and the protocol driver monitors the communication events of application programs, obtains the IP address, port number information and corresponding process ID associated with each event, and sends them to a second filter driver deployed between the protocol driver and the network card driver. When the second filter driver receives a packet sent or received by an application program, it can therefore determine the process ID owning the packet from the packet's IP address and/or port number information and the stored IP address, port number information and corresponding process ID, and then apply the access control policy of each process ID to the corresponding application program. The embodiments thus solve the problem that a filter driver deployed between the protocol driver and the network card driver cannot determine the process ID a packet belongs to, and achieve access control at application-program granularity.
Description of drawings
Fig. 1 is a schematic diagram of the network driver architecture of the Windows kernel;
Fig. 2 is an architecture diagram of the NDIS intermediate driver;
Fig. 3 is a flow chart of the method for determining the process to which a packet belongs, provided by an embodiment of the invention;
Fig. 4 is a schematic diagram of the driver architecture of the example provided by an embodiment of the invention;
Fig. 5 is a flow chart of the example provided by an embodiment of the invention;
Fig. 6 is a flow chart of the method for access control of application programs provided by an embodiment of the invention;
Fig. 7 is a structural diagram of the device for determining the process to which a packet belongs, provided by an embodiment of the invention;
Fig. 8 is a structural diagram of the access control device for application programs provided by an embodiment of the invention.
Embodiment
The embodiments of the method for determining the process to which a packet belongs, the access control method, the device and the network communication equipment provided by the invention are described below with reference to the accompanying drawings.
A method for determining the process to which a packet belongs, provided by an embodiment of the invention, is shown in Figure 3 and specifically comprises the following steps:
S301. A first filter driver deployed between the AFD driver and the protocol driver monitors the communication events of application programs;
S302. When an application program is observed to generate a communication event, the first filter driver obtains, from that event, the associated IP address, port number information and corresponding process ID;
S303. The first filter driver sends the obtained IP address, port number information and corresponding process ID to a second filter driver deployed between the protocol driver and the network card driver;
S304. The second filter driver receives and stores the IP address, port number information and corresponding process ID;
S305. When the second filter driver receives a packet sent or received by the application program, it determines the process ID to which the packet belongs from the IP address and/or port number information in the packet and the stored IP address, port number information and corresponding process ID.
In the above method, an intermediate driver (the first filter driver) must be deployed in advance between the AFD driver and the protocol driver, and another intermediate driver (the second filter driver) between the protocol driver and the network card driver. The first filter driver may be a TDI filter driver or any other filter driver that can be deployed between the AFD driver and the protocol driver; the second filter driver may be an NDIS intermediate driver or any other filter driver that can be deployed between the protocol driver and the network card driver.
In step S301, the first filter driver monitors the communication events of application programs by monitoring their TCP and/or UDP communication operations.
Specifically, the first filter driver may monitor the following TCP communication operations:
an application program creating a TCP socket, initiating an outbound TCP connection, accepting a TCP connection, and so on.
The first filter driver may monitor the following UDP communication operations:
an application program creating a UDP socket, sending a datagram, receiving a datagram, and so on.
In step S302, the first filter driver obtains the IP address, port number information and corresponding process ID associated with the communication event in the following way:
the first filter driver intercepts the instruction packet (for example an IRP) or data packet (for example a UDP datagram) of the communication event and reads the IP address, port number information and corresponding process ID contained in the instruction packet or data packet.
In the Windows kernel, drivers usually communicate with one another by means of IRPs.
After receiving the IP address, port and corresponding process ID sent by the first filter driver, the second filter driver may return an acknowledgement to the first filter driver;
only after receiving the acknowledgement returned by the second filter driver does the first filter driver release the intercepted instruction packet or data packet and let the communication event proceed, so that the mapping is already in place when the second filter driver subsequently receives the packets.
In step S303, when the second filter driver receives the process ID and the corresponding IP address and port number information sent by the first filter driver, it maintains locally a correspondence table of IP, port and process ID. Then, in step S304, when the second filter driver captures a packet sent or received by an application program, it matches the IP and/or port information in the packet against this table to look up the process ID the packet belongs to.
Further, when the first filter driver intercepts the instruction packet that ends a communication event, it obtains the IP address, port number information and corresponding process ID of that event from the instruction packet, carries them in an instruction indicating that the communication event has ended, and sends this instruction to the second filter driver;
on receiving the end-of-event instruction from the first filter driver, the second filter driver deletes the locally stored record whose IP address, port number information and corresponding process ID match.
The method is now illustrated with a concrete example in which the first filter driver is a TDI filter driver and the second filter driver is an NDIS intermediate driver; the driver architecture is shown in Figure 4.
The flow of this example is shown in Figure 5 and comprises the following steps:
1. The application program initiates an outbound Socket connection.
To connect outward, the application first creates a Socket; this uses IRP instructions that create an address object and a connection endpoint object, and at this point the TDI filter driver (the first filter driver) binds the process ID of the program to the address object. When the application calls the connect function to connect outward, the Windows I/O manager issues an IRP containing a TDI_CONNECT request.
2. The TDI filter driver intercepts the IRP containing the TDI_CONNECT request and extracts the protocol, IP and port number information from it; from the address object in the IRP, combined with the binding made in step 1, it determines the process ID of the application program.
3. Having obtained this information, the TDI filter driver does not pass the intercepted IRP down yet. Instead it establishes communication with the NDIS intermediate driver: it builds a new IRP and uses it to notify the NDIS intermediate driver (the second filter driver) of the protocol, both IP addresses, both port numbers and the corresponding process ID of this communication event.
4. The NDIS intermediate driver stores this information in its correspondence table of IP, port number information and process ID.
5. The NDIS intermediate driver returns an IRP response to the TDI filter driver.
To respond promptly in step 5, the NDIS intermediate driver may generate a new IRP for the TDI filter driver, or it may simply complete the IRP that the TDI filter driver sent earlier.
6. Once the notification IRP has returned, the TDI filter driver releases the original intercepted socket IRP so that communication proceeds.
7. This IRP enters the protocol layer, becomes the handshake packet of the TCP connection, and is passed down through the NDIS intermediate driver to the network card driver. The NDIS intermediate driver extracts both IP addresses and ports from the packet, matches them against the information in the correspondence table, and learns which process ID the packet belongs to.
8. Communication of the application continues; the TDI filter driver passes all IRPs that send and receive data, and the NDIS intermediate driver extracts both IP addresses and ports from each intercepted packet, matches them against the correspondence table, and learns which process ID the packet belongs to.
9. The TDI filter driver captures the IRP that disconnects the Socket and obtains from it the IP addresses, ports and process ID of both communicating parties.
10. The TDI filter driver sends the obtained IP address, port number information and process ID to the NDIS intermediate driver through an IRP, informing it that the socket connection has been closed.
11. The NDIS intermediate driver deletes the record with this IP address, port and process ID from the correspondence table it maintains.
12. The NDIS intermediate driver returns an IRP response.
Similarly, to respond promptly in step 12, the NDIS intermediate driver may generate a new IRP for the TDI filter driver, or it may simply complete the IRP that the TDI filter driver sent earlier.
In the above flow, the time taken by the TDI filter driver to send IRP notifications to the NDIS intermediate driver is very short, and since a notification is sent only once when a connection is established and once when it is closed, the communication efficiency of the application program is not affected.
The example above describes monitoring of an outbound Socket connection initiated by an application. For an application that accepts inbound Socket connections, or for flows monitored through UDP communication, the creation of a TDI address object is likewise involved; during it the TDI filter driver learns the association between local IP, port number and process ID and informs the NDIS intermediate driver of this association, so that in the subsequent Socket connection or datagram exchange the process ID owning each packet can be determined from these associations. The flow is similar to the example above and is not repeated here.
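Steps 7 and 8 above have the NDIS intermediate driver pull both IP addresses and ports out of a raw frame before it can consult its table. The following is an added example in user-mode C, not code from the patent: it parses a constructed Ethernet/IPv4/TCP frame into a five-tuple and rejects truncated, non-IPv4 and non-initial-fragment frames, which a driver on the NDIS path must do because it sees arbitrary bytes from the wire. The names (`extract_five_tuple`, `five_tuple_t`), the sample MAC and IP addresses and the ports are my own assumptions.

```c
/* Added example (not from the patent): extract the five-tuple that the
 * NDIS-level filter driver matches against its IP/port/PID table.
 * User-mode C; the frame below is constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_HDR_LEN     14
#define ETHERTYPE_IPV4  0x0800
#define IPPROTO_TCP_NUM 6
#define IPPROTO_UDP_NUM 17

typedef struct {
    uint8_t  proto;      /* 6 = TCP, 17 = UDP */
    uint32_t src_ip;     /* host byte order */
    uint32_t dst_ip;
    uint16_t src_port;   /* host byte order */
    uint16_t dst_port;
} five_tuple_t;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out on success; -1 for anything that is not a
 * complete, first-fragment IPv4 TCP/UDP frame.  Every offset is checked
 * against the buffer length before it is read. */
int extract_five_tuple(const uint8_t *frame, size_t len, five_tuple_t *out)
{
    if (len < ETH_HDR_LEN) return -1;
    if (be16(frame + 12) != ETHERTYPE_IPV4) return -1;  /* VLAN-tagged frames not handled */

    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ip_avail = len - ETH_HDR_LEN;
    if (ip_avail < 20) return -1;
    if ((ip[0] >> 4) != 4) return -1;                   /* IP version */
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;            /* header length incl. options */
    if (ihl < 20 || ip_avail < ihl) return -1;
    uint16_t total_len = be16(ip + 2);
    if (total_len < ihl || total_len > ip_avail) return -1;
    if ((be16(ip + 6) & 0x1fff) != 0) return -1;        /* non-first fragment: no L4 header */

    uint8_t proto = ip[9];
    if (proto != IPPROTO_TCP_NUM && proto != IPPROTO_UDP_NUM) return -1;
    if (total_len - ihl < 4) return -1;                 /* need at least both port fields */

    const uint8_t *l4 = ip + ihl;
    out->proto    = proto;
    out->src_ip   = be32(ip + 12);
    out->dst_ip   = be32(ip + 16);
    out->src_port = be16(l4);
    out->dst_port = be16(l4 + 2);
    return 0;
}

/* Constructed sample: TCP SYN 192.168.1.10:49152 -> 198.51.100.34:443 (54 bytes). */
static const uint8_t sample_frame[] = {
    /* Ethernet: dst MAC, src MAC, EtherType IPv4 */
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    /* IPv4: ver/ihl, tos, total len 40, id, flags DF/frag 0, ttl, proto TCP, csum */
    0x45,0x00, 0x00,0x28, 0x00,0x01, 0x40,0x00, 0x40,0x06, 0x00,0x00,
    0xc0,0xa8,0x01,0x0a,            /* src 192.168.1.10 */
    0xc6,0x33,0x64,0x22,            /* dst 198.51.100.34 */
    /* TCP: src port 49152, dst port 443, seq, ack, data offset 5 + SYN, window, csum, urg */
    0xc0,0x00, 0x01,0xbb, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00
};

int main(void)
{
    five_tuple_t t;
    if (extract_five_tuple(sample_frame, sizeof sample_frame, &t) == 0)
        printf("proto=%u src=%08x:%u dst=%08x:%u\n", (unsigned)t.proto,
               t.src_ip, (unsigned)t.src_port, t.dst_ip, (unsigned)t.dst_port);
    return 0;
}
```

The length checks are the point of the example: an intermediate driver that reads the port fields at a fixed offset without validating the IP header length or fragment offset would index past the buffer or match the wrong bytes, and the lookup that follows would then attribute the frame to the wrong process.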
An embodiment of the invention also provides a method for access control of application programs according to process ID, as shown in Figure 6, comprising:
S601. A first filter driver deployed between the AFD driver and the protocol driver monitors the communication events of application programs;
S602. When an application program is observed to generate a communication event, the first filter driver obtains, from that event, the associated IP address, port number information and corresponding process ID;
S603. The first filter driver sends the obtained IP address, port number information and corresponding process ID to a second filter driver deployed between the protocol driver and the network card driver;
S604. The second filter driver receives and stores the IP address, port number information and corresponding process ID;
S605. When the second filter driver receives a packet sent or received by the application program, it determines the process ID to which the packet belongs from the IP address and/or port number information in the packet and the stored IP address, port number information and corresponding process ID;
S606. The second filter driver applies the access control policy configured in advance for each process ID to the communication event of that application program.
The implementation of steps S601 to S605 is similar to that of steps S301 to S305 and is not repeated here. In step S606, the second filter driver (for example the NDIS intermediate driver) can, according to the originally configured policy, handle the packets of a specific process individually, for example: encrypting the packets sent by a certain application program and decrypting the packets it receives, so as to protect business data; for a browser-type process that accesses external IP addresses, dropping all packets except those to specific server IPs, which guarantees that this machine can only visit specific external websites; or leaving the packets sent by an application program entirely untouched.
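To make the correspondence table of steps S303 to S305 (insert at connect, match in both directions, delete at disconnect) and the per-process decision of step S606 concrete, here is an added example in user-mode C; it is not the patent's code. The table layout, the wildcard entry for an unconnected UDP socket, the policy struct (`pid_policy_t`), the verdict names and the constructed addresses and PIDs are all my assumptions; a real NDIS intermediate driver would keep such a table in non-paged memory under a lock and would be fed by the TDI filter's IRPs rather than by direct calls.

```c
/* Added example (not from the patent): the IP/port/PID correspondence table
 * kept by the second (NDIS-level) filter driver, and the per-PID access
 * control decision of step S606.  User-mode C with constructed data. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 64
enum { PROTO_TCP = 6, PROTO_UDP = 17 };
enum direction { DIR_OUTBOUND, DIR_INBOUND };
enum verdict { VERDICT_PASS, VERDICT_DROP, VERDICT_UNKNOWN_PROCESS };

typedef struct {
    uint8_t  proto;
    uint32_t local_ip, remote_ip;        /* host byte order */
    uint16_t local_port, remote_port;    /* remote ip/port 0 = wildcard (unconnected UDP) */
    uint32_t pid;
    int      in_use;
} conn_entry_t;

typedef struct { conn_entry_t e[MAX_ENTRIES]; } conn_table_t;

/* Steps S303/S304: the TDI filter reported a new socket; record its owner. */
int table_add(conn_table_t *t, uint8_t proto, uint32_t lip, uint16_t lport,
              uint32_t rip, uint16_t rport, uint32_t pid)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        conn_entry_t *c = &t->e[i];
        if (c->in_use) continue;
        c->proto = proto; c->local_ip = lip; c->local_port = lport;
        c->remote_ip = rip; c->remote_port = rport; c->pid = pid; c->in_use = 1;
        return 0;
    }
    return -1;   /* table full: the caller must choose fail-open or fail-closed */
}

/* Steps 9 to 11 of the example: the socket closed; drop the matching record. */
int table_remove(conn_table_t *t, uint8_t proto, uint32_t lip, uint16_t lport,
                 uint32_t rip, uint16_t rport)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        conn_entry_t *c = &t->e[i];
        if (c->in_use && c->proto == proto && c->local_ip == lip &&
            c->local_port == lport && c->remote_ip == rip && c->remote_port == rport) {
            c->in_use = 0;
            return 0;
        }
    }
    return -1;
}

/* Step S305: map a frame's addresses to a PID.  Outbound frames carry the
 * local endpoint as source, inbound frames as destination.  An exact remote
 * match beats a wildcard entry, so a connected socket is not shadowed by an
 * unconnected one on the same local port.  Returns 0 when no owner is known. */
uint32_t table_lookup(const conn_table_t *t, uint8_t proto,
                      uint32_t src_ip, uint16_t src_port,
                      uint32_t dst_ip, uint16_t dst_port, enum direction dir)
{
    uint32_t lip   = dir == DIR_OUTBOUND ? src_ip   : dst_ip;
    uint16_t lport = dir == DIR_OUTBOUND ? src_port : dst_port;
    uint32_t rip   = dir == DIR_OUTBOUND ? dst_ip   : src_ip;
    uint16_t rport = dir == DIR_OUTBOUND ? dst_port : src_port;
    uint32_t wildcard_pid = 0;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        const conn_entry_t *c = &t->e[i];
        if (!c->in_use || c->proto != proto || c->local_ip != lip || c->local_port != lport)
            continue;
        if (c->remote_ip == rip && c->remote_port == rport) return c->pid;
        if (c->remote_ip == 0 && c->remote_port == 0) wildcard_pid = c->pid;
    }
    return wildcard_pid;
}

/* Step S606: per-PID policy.  Constructed rule shape: a process may be
 * restricted to a single allowed remote IP (the browser case in the text). */
typedef struct { uint32_t pid; int restrict_remote; uint32_t allowed_remote_ip; } pid_policy_t;

enum verdict decide(const pid_policy_t *pol, size_t npol, uint32_t pid, uint32_t remote_ip)
{
    if (pid == 0) return VERDICT_UNKNOWN_PROCESS;   /* no owner: policy must say what to do */
    for (size_t i = 0; i < npol; i++) {
        if (pol[i].pid != pid) continue;
        if (pol[i].restrict_remote && remote_ip != pol[i].allowed_remote_ip)
            return VERDICT_DROP;
        return VERDICT_PASS;
    }
    return VERDICT_PASS;   /* no rule for this PID: packets left untouched, as in the text */
}

int main(void)
{
    conn_table_t t; memset(&t, 0, sizeof t);
    /* constructed: PID 1234 (a browser) may only reach 198.51.100.34; it opens
     * a second connection 192.168.1.10:49153 -> 10.0.0.1:80, which is dropped */
    pid_policy_t pol[] = { {1234, 1, 0xc6336422} };
    table_add(&t, PROTO_TCP, 0xc0a8010a, 49153, 0x0a000001, 80, 1234);
    uint32_t pid = table_lookup(&t, PROTO_TCP, 0xc0a8010a, 49153, 0x0a000001, 80, DIR_OUTBOUND);
    printf("pid=%u verdict=%d (1 = drop)\n", (unsigned)pid, decide(pol, 1, pid, 0x0a000001));
    return 0;
}
```

Two design points the patent text leaves open are made explicit here: the lookup must be direction-aware, since the same connection appears with its local endpoint as source on the way out and as destination on the way in; and the driver needs a stated behaviour for frames whose owner is unknown (table full, or a frame that arrived before the TDI filter's notification), which is why `VERDICT_UNKNOWN_PROCESS` is a separate outcome rather than being folded into pass or drop.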
Based on the same inventive concept, the embodiments of the invention also provide a device for determining the process to which a packet belongs, an access control device for application programs, and network communication equipment. Because these devices and equipment solve the problem on the same principle as the method for determining the process to which a packet belongs and the access control method described above, their implementation can refer to that of the methods, and repeated parts are not described again.
A device for determining the process to which a packet belongs, provided by an embodiment of the invention, is shown in Figure 7 and comprises:
A first filter driver module 701, deployed between the AFD driver and the protocol driver, for monitoring the communication events of application programs and, when an application program is observed to generate a communication event, obtaining from that event the associated IP address, port number information and corresponding process ID and sending them to a second filter driver module 702;
A second filter driver module 702, deployed between the protocol driver and the network card driver, for receiving and storing the IP address, port number information and corresponding process ID and, when receiving a packet sent or received by an application program, determining the process ID to which the packet belongs from the received IP address, port and corresponding process ID.
Further, the first filter driver module 701 is specifically for monitoring the TCP and/or UDP communication operations of application programs.
Further, the first filter driver module 701 is specifically for carrying the obtained IP address, port number information and corresponding process ID in an IRP instruction and sending that IRP instruction to the second filter driver module.
Further, the first filter driver module 701 is specifically for intercepting the instruction packet or data packet of a communication event and obtaining the IP address, port number information and corresponding process ID contained in the instruction packet or data packet.
Further, the second filter driver module 702 is also for sending an acknowledgement to the first filter driver module 701 after receiving the IP address, port and corresponding process ID sent by the first filter driver module 701;
correspondingly, the first filter driver module 701 is also for releasing the intercepted instruction packet or data packet of the communication event, so that the communication event proceeds, after receiving the acknowledgement sent by the second filter driver module 702.
Preferably, the first filter driver module 701 is a TDI filter driver and the second filter driver module 702 is an NDIS intermediate driver.
Further, the first filter driver module 701 is also for, when intercepting the instruction packet that ends a communication event, obtaining from that instruction packet the IP address, port number information and corresponding process ID of the event, carrying them in an instruction indicating that the communication event has ended, and sending this instruction to the second filter driver module 702;
the second filter driver module 702 is also for deleting, on receiving the end-of-event instruction sent by the first filter driver module 701, the locally stored record whose IP address, port number information and corresponding process ID match.
An access control apparatus for application programs provided by an embodiment of the invention, as shown in Figure 8, comprises:
a first filter driver module 801, deployed between the AFD driver and the protocol driver, configured to monitor communication events of application programs and, when it detects that an application program has generated a communication event, to obtain, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event and send them to a second filter driver module 802;
a second filter driver module 802, deployed between the protocol driver and the network interface card (NIC) driver, configured to receive and store the IP address, port number information and corresponding process ID; when it receives a message sent or received by an application program, to determine the process ID to which the message belongs according to the received IP address, port and corresponding process ID; and to perform the corresponding access control operation on the communication event of that application program according to the access control policy set in advance for each process ID.
A network communication device provided by an embodiment of the invention comprises the above-described device for acquiring the process to which a message belongs and/or the above-described access control apparatus for application programs provided by embodiments of the invention.
From the description of the above embodiments, those skilled in the art will clearly understand that the embodiments of the invention can be implemented in hardware, or in software together with a necessary general-purpose hardware platform. Based on this understanding, the technical solution of the embodiments of the invention can be embodied as a software product, which can be stored in a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a portable hard disk) and comprises a number of instructions for causing a computer device (such as a personal computer, a server or a network device) to perform the method described in each embodiment of the invention.
Those skilled in the art will understand that the accompanying drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required for implementing the invention.
Those skilled in the art will understand that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and arranged in one or more devices different from the present embodiment. The modules of the above embodiments may be merged into one module or further split into a plurality of sub-modules.
The sequence numbers of the above embodiments of the invention are only for description and do not represent the merit of the embodiments.
In the method for acquiring the process to which a message belongs, the access control method, the devices and the network communication equipment provided by embodiments of the invention, a first filter driver deployed between the AFD driver and the protocol driver monitors communication events of application programs, obtains the IP address, port number information and corresponding process ID related to a communication event, and sends them to a second filter driver deployed between the protocol driver and the NIC driver. In this way, when the second filter driver receives a message sent or received by an application program, it can determine the process ID to which the message belongs according to the IP address and/or port number information of the message and the stored IP address, port number information and corresponding process ID, and can then apply the access control policy corresponding to that process ID to control the application program's access. The embodiments of the invention thus solve the problem of determining the process ID to which a message belongs at the lower levels of network communication (in the kernel), and realize access control at application-program granularity.
Obviously, those skilled in the art can make various changes and modifications to the invention without departing from its spirit and scope. Thus, if these changes and modifications of the invention fall within the scope of the claims of the invention and their equivalent technologies, the invention is also intended to include them.
Claims (16)
1. A method for acquiring the process to which a message belongs, characterized in that it comprises:
a first filter driver deployed between an ancillary function driver (AFD) and a protocol driver monitors communication events of application programs;
when it detects that an application program has generated a communication event, the first filter driver obtains, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event and sends them to a second filter driver deployed between the protocol driver and the network interface card driver;
the second filter driver receives and stores the IP address, port number information and corresponding process ID;
when the second filter driver receives a message sent or received by an application program, it determines the process ID to which the message belongs according to the IP address and/or port number information in the message and the stored IP address, port number information and corresponding process ID.
2. The method according to claim 1, characterized in that the first filter driver monitoring communication events of application programs comprises:
the first filter driver monitoring Transmission Control Protocol (TCP) and/or User Datagram Protocol (UDP) communication operations of application programs.
3. The method according to claim 1, characterized in that the TDI filter driver sending the obtained IP address, port number information and corresponding process ID to the second filter driver comprises:
the first filter driver carrying the obtained IP address, port number information and corresponding process ID in an IRP instruction and sending the IRP instruction to the second filter driver.
4. The method according to any one of claims 1 to 3, characterized in that the first filter driver obtaining, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event specifically comprises:
the first filter driver intercepting the command packet of the communication event that occurred and obtaining the IP address, port number information and corresponding process ID related to that communication event contained in the command packet.
5. The method according to claim 4, characterized in that, after the first filter driver sends the IP address, port number information and corresponding process ID to the second filter driver, the method further comprises:
the first filter driver receiving a receipt confirmation sent by the second filter driver;
the first filter driver, according to the receipt confirmation, releasing the intercepted command packet or data packet of the communication event so that the communication event can proceed.
6. The method according to any one of claims 1 to 3, characterized in that it further comprises:
when the first filter driver intercepts a command packet indicating the end of the communication event, it obtains the IP address, port number information and corresponding process ID related to that communication event contained in the command packet, carries the obtained IP address, port number information and corresponding process ID in an instruction indicating that the communication event has ended, and sends it to the second filter driver;
the second filter driver, according to the instruction indicating the end of the communication event sent by the first filter driver, deletes the stored record of the matching local IP address, port number information and corresponding process ID.
7. An access control method for application programs, characterized in that it comprises:
a first filter driver deployed between an AFD driver and a protocol driver monitors communication events of application programs;
when it detects that an application program has generated a communication event, the first filter driver obtains, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event and sends them to a second filter driver deployed between the protocol driver and the network interface card driver;
the second filter driver receives and stores the IP address, port number information and corresponding process ID;
when the second filter driver receives a message sent or received by a process, it determines the process ID to which the message belongs according to the IP address and/or port number information in the message and the stored IP address, port number information and corresponding process ID;
the second filter driver performs the corresponding access control operation on the communication event of that application program according to the access control policy set in advance for each process ID.
8. A device for acquiring the process to which a message belongs, characterized in that it comprises:
a first filter driver module, deployed between an AFD driver and a protocol driver, configured to monitor communication events of application programs and, when it detects that an application program has generated a communication event, to obtain, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event and send them to a second filter driver module;
a second filter driver module, deployed between the protocol driver and the network interface card driver, configured to receive and store the IP address, port number information and corresponding process ID and, when it receives a message sent or received by an application program, to determine the process ID to which the message belongs according to the received IP address, port and corresponding process ID.
9. The device according to claim 8, characterized in that the first filter driver module is specifically configured to monitor TCP and/or UDP communication operations of application programs.
10. The device according to claim 8, characterized in that the first filter driver module is specifically configured to carry the obtained IP address, port number information and corresponding process ID in an IRP instruction and send the IRP instruction to the second filter driver module.
11. The device according to any one of claims 8 to 10, characterized in that the first filter driver module is specifically configured to intercept the command packet or data packet of the communication event and obtain the IP address, port number information and corresponding process ID contained in the command packet or data packet.
12. The device according to claim 11, characterized in that the second filter driver module is also configured to send a receipt confirmation to the first filter driver module after receiving the IP address, port and corresponding process ID sent by the first filter driver module;
the first filter driver module is also configured to release the intercepted command packet or data packet of the communication event after receiving the receipt confirmation sent by the second filter driver module, so that the communication event can proceed.
13. The device according to any one of claims 8 to 10, characterized in that the first filter driver module is also configured, when it intercepts a command packet indicating the end of the communication event, to obtain the IP address, port number information and corresponding process ID related to that communication event contained in the command packet, and to carry the obtained IP address, port number information and corresponding process ID in an instruction indicating that the communication event has ended, which it sends to the second filter driver module;
the second filter driver module is also configured, according to the instruction indicating the end of the communication event sent by the first filter driver module, to delete the stored record of the matching local IP address, port number information and corresponding process ID.
14. The device according to any one of claims 8 to 10, characterized in that the first filter driver module is a TDI filter driver and the second filter driver module is an NDIS intermediate driver.
15. An access control apparatus for application programs, characterized in that it comprises:
a first filter driver module, deployed between an AFD driver and a protocol driver, configured to monitor communication events of application programs and, when it detects that an application program has generated a communication event, to obtain, according to the communication event that occurred, the IP address, port number information and corresponding process ID related to that communication event and send them to a second filter driver module;
a second filter driver module, deployed between the protocol driver and the network interface card driver, configured to receive and store the IP address, port number information and corresponding process ID; when it receives a message sent or received by an application program, to determine the process ID to which the message belongs according to the received IP address, port and corresponding process ID; and to perform the corresponding access control operation on the communication event of that application program according to the access control policy set in advance for each process ID.
16. A network communication device, characterized in that it comprises the device for acquiring the process to which a message belongs according to any one of claims 8 to 14 and/or the access control apparatus for application programs according to claim 15.
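The method of claims 1 to 7 and the Figure 7/8 modules above, modelled in user-mode C as an added example that is not part of the patent: the first filter's registration of the local IP/port/PID tuple with receipt confirmation before the held request is released, the second filter's table, the lookup by IP and/or port, the per-PID policy decision and the deletion on end-of-event. The function names, the rule that a record bound to the unspecified address matches on port alone, and the default-deny for packets that cannot be attributed to any process are assumptions of this example.

```c
/* Added example, not the patent's code: a user-mode C model of claims 1-7. The
 * first filter (the patent's TDI layer) hands the local IP/port/PID of a socket
 * event to the second filter (the NDIS layer), which stores it, attributes packets
 * to a PID by IP and/or port and applies a per-PID policy. Names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#define MAX_RECORDS 64
#define PID_UNKNOWN 0u
#define IP4(a,b,c,d) (((uint32_t)(a)<<24)|((uint32_t)(b)<<16)|((uint32_t)(c)<<8)|(uint32_t)(d))
typedef struct {
    uint32_t local_ip;  uint16_t local_port;  /* host order; ip 0 = unspecified address */
    uint32_t pid;       int in_use;
} endpoint_record_t;

static endpoint_record_t g_table[MAX_RECORDS];   /* kept by the second filter */
/* Policy "set in advance" per process ID (claim 7); constructed sample data. */
static const struct { uint32_t pid; int allow; } g_policies[] = { {1234u, 1}, {777u, 0} };
#define POLICY_COUNT (sizeof g_policies / sizeof g_policies[0])

/* Second filter: store the tuple. Returning 1 is the receipt confirmation of
 * claim 5; 0 means the table is full and nothing was stored. */
int second_filter_register(uint32_t ip, uint16_t port, uint32_t pid) {
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (g_table[i].in_use) continue;
        g_table[i] = (endpoint_record_t){ ip, port, pid, 1 };
        return 1;
    }
    return 0;
}

/* Claim 6: on the "communication event ended" instruction, delete the record. */
int second_filter_unregister(uint32_t ip, uint16_t port, uint32_t pid) {
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (!g_table[i].in_use || g_table[i].local_ip != ip ||
            g_table[i].local_port != port || g_table[i].pid != pid) continue;
        g_table[i].in_use = 0;
        return 1;
    }
    return 0;
}

/* Claim 1, last step: attribute a packet by its local IP and/or port. An exact
 * IP+port match wins; a record bound to the unspecified address matches on port. */
uint32_t second_filter_lookup_pid(uint32_t local_ip, uint16_t local_port) {
    uint32_t wildcard_pid = PID_UNKNOWN;
    for (int i = 0; i < MAX_RECORDS; i++) {
        if (!g_table[i].in_use || g_table[i].local_port != local_port) continue;
        if (g_table[i].local_ip == local_ip) return g_table[i].pid;
        if (g_table[i].local_ip == 0) wildcard_pid = g_table[i].pid;
    }
    return wildcard_pid;
}

/* Claim 7: 1 = pass, 0 = block. Unattributable packets are blocked (assumption). */
int second_filter_decide(uint32_t local_ip, uint16_t local_port) {
    uint32_t pid = second_filter_lookup_pid(local_ip, local_port);
    for (int i = 0; pid != PID_UNKNOWN && i < (int)POLICY_COUNT; i++)
        if (g_policies[i].pid == pid) return g_policies[i].allow;
    return 0;   /* unknown PID or no policy entry: block */
}

/* First filter: on an intercepted connect/bind, send the tuple down and release
 * the held request only once receipt is confirmed (claims 4-5). 1 = proceed. */
int first_filter_on_event(uint32_t ip, uint16_t port, uint32_t pid) {
    return second_filter_register(ip, port, pid);
}

int main(void) {
    first_filter_on_event(IP4(192,168,1,10), 443, 1234u);  /* constructed client socket */
    first_filter_on_event(0, 53, 777u);                     /* constructed wildcard listener */
    printf("443 -> pid %u pass=%d; 53 -> pid %u pass=%d\n",
           (unsigned)second_filter_lookup_pid(IP4(192,168,1,10), 443), second_filter_decide(IP4(192,168,1,10), 443),
           (unsigned)second_filter_lookup_pid(IP4(10,0,0,5), 53), second_filter_decide(IP4(10,0,0,5), 53));
    return 0;
}
```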
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201110415519.2A CN102438016B (en) | 2011-12-13 | 2011-12-13 | Method for acquiring subordinate progress of message, access control method and device, and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102438016A true CN102438016A (en) | 2012-05-02 |
CN102438016B CN102438016B (en) | 2015-07-22 |
Family
ID=45985888
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110415519.2A Active CN102438016B (en) | 2011-12-13 | 2011-12-13 | Method for acquiring subordinate progress of message, access control method and device, and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102438016B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103150240A (en) * | 2013-03-19 | 2013-06-12 | 天脉聚源(北京)传媒科技有限公司 | Method and system for monitoring application process |
CN106302162A (en) * | 2016-08-23 | 2017-01-04 | 大连网月科技股份有限公司 | A kind of client-based application type intelligent identification Method and device |
CN106484589A (en) * | 2015-08-28 | 2017-03-08 | 腾讯科技(深圳)有限公司 | Monitoring method and device that port accesses |
WO2018192007A1 (en) * | 2017-04-20 | 2018-10-25 | 网宿科技股份有限公司 | Data packet transmission method and system |
CN109067793A (en) * | 2018-09-25 | 2018-12-21 | 郑州云海信息技术有限公司 | A kind of method that realizing security protection, equipment and storage medium |
CN109298890A (en) * | 2017-07-25 | 2019-02-01 | 西安中兴新软件有限责任公司 | A kind of method and device configuring NDIS equipment |
CN109660535A (en) * | 2018-12-17 | 2019-04-19 | 郑州云海信息技术有限公司 | The treating method and apparatus of data in linux system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060020854A1 (en) * | 2004-07-22 | 2006-01-26 | International Business Machines Corporation | Method and apparatus for high-speed network adapter failover |
CN101211309A (en) * | 2006-12-29 | 2008-07-02 | 中兴通讯股份有限公司 | Embedded system progress abnormal tracking position-finding method |
CN101895529A (en) * | 2010-05-31 | 2010-11-24 | 上海网宿科技股份有限公司 | Method for judging process of TCP/IP packet in driver layer |
Also Published As
Publication number | Publication date |
---|---|
CN102438016B (en) | 2015-07-22 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |